From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Mike Christie <michael.christie@oracle.com>,
Manish Rangankar <mrangankar@marvell.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 5.13 048/114] scsi: qedi: Fix race during abort timeouts
Date: Fri, 9 Jul 2021 22:16:42 -0400 [thread overview]
Message-ID: <20210710021748.3167666-48-sashal@kernel.org> (raw)
In-Reply-To: <20210710021748.3167666-1-sashal@kernel.org>
From: Mike Christie <michael.christie@oracle.com>
[ Upstream commit 2ce002366a3fcc3f9616d4583194f65dde0ad253 ]
If the SCSI cmd completes after qedi_tmf_work calls iscsi_itt_to_task then
the qedi qedi_cmd->task_id could be freed and used for another cmd. If we
then call qedi_iscsi_cleanup_task with that task_id we will be cleaning up
the wrong cmd.
Wait to release the task_id until the last put has been done on the
iscsi_task. Because libiscsi grabs a ref to the task when sending the
abort, we know that for the non-abort timeout case that the task_id we are
referencing is for the cmd that was supposed to be aborted.
A latter commit will fix the case where the abort times out while we are
running qedi_tmf_work.
Link: https://lore.kernel.org/r/20210525181821.7617-21-michael.christie@oracle.com
Reviewed-by: Manish Rangankar <mrangankar@marvell.com>
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qedi/qedi_fw.c | 15 ---------------
drivers/scsi/qedi/qedi_iscsi.c | 20 +++++++++++++++++---
2 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/drivers/scsi/qedi/qedi_fw.c b/drivers/scsi/qedi/qedi_fw.c
index cf57b4e49700..c12bb2dd5ff9 100644
--- a/drivers/scsi/qedi/qedi_fw.c
+++ b/drivers/scsi/qedi/qedi_fw.c
@@ -73,7 +73,6 @@ static void qedi_process_logout_resp(struct qedi_ctx *qedi,
spin_unlock(&qedi_conn->list_lock);
cmd->state = RESPONSE_RECEIVED;
- qedi_clear_task_idx(qedi, cmd->task_id);
__iscsi_complete_pdu(conn, (struct iscsi_hdr *)resp_hdr, NULL, 0);
spin_unlock(&session->back_lock);
@@ -138,7 +137,6 @@ static void qedi_process_text_resp(struct qedi_ctx *qedi,
spin_unlock(&qedi_conn->list_lock);
cmd->state = RESPONSE_RECEIVED;
- qedi_clear_task_idx(qedi, cmd->task_id);
__iscsi_complete_pdu(conn, (struct iscsi_hdr *)resp_hdr_ptr,
qedi_conn->gen_pdu.resp_buf,
@@ -164,13 +162,11 @@ static void qedi_tmf_resp_work(struct work_struct *work)
iscsi_block_session(session->cls_session);
rval = qedi_cleanup_all_io(qedi, qedi_conn, qedi_cmd->task, true);
if (rval) {
- qedi_clear_task_idx(qedi, qedi_cmd->task_id);
iscsi_unblock_session(session->cls_session);
goto exit_tmf_resp;
}
iscsi_unblock_session(session->cls_session);
- qedi_clear_task_idx(qedi, qedi_cmd->task_id);
spin_lock(&session->back_lock);
__iscsi_complete_pdu(conn, (struct iscsi_hdr *)resp_hdr_ptr, NULL, 0);
@@ -245,8 +241,6 @@ static void qedi_process_tmf_resp(struct qedi_ctx *qedi,
goto unblock_sess;
}
- qedi_clear_task_idx(qedi, qedi_cmd->task_id);
-
__iscsi_complete_pdu(conn, (struct iscsi_hdr *)resp_hdr_ptr, NULL, 0);
kfree(resp_hdr_ptr);
@@ -314,7 +308,6 @@ static void qedi_process_login_resp(struct qedi_ctx *qedi,
"Freeing tid=0x%x for cid=0x%x\n",
cmd->task_id, qedi_conn->iscsi_conn_id);
cmd->state = RESPONSE_RECEIVED;
- qedi_clear_task_idx(qedi, cmd->task_id);
}
static void qedi_get_rq_bdq_buf(struct qedi_ctx *qedi,
@@ -468,7 +461,6 @@ static int qedi_process_nopin_mesg(struct qedi_ctx *qedi,
}
spin_unlock(&qedi_conn->list_lock);
- qedi_clear_task_idx(qedi, cmd->task_id);
}
done:
@@ -673,7 +665,6 @@ static void qedi_scsi_completion(struct qedi_ctx *qedi,
if (qedi_io_tracing)
qedi_trace_io(qedi, task, cmd->task_id, QEDI_IO_TRACE_RSP);
- qedi_clear_task_idx(qedi, cmd->task_id);
__iscsi_complete_pdu(conn, (struct iscsi_hdr *)hdr,
conn->data, datalen);
error:
@@ -730,7 +721,6 @@ static void qedi_process_nopin_local_cmpl(struct qedi_ctx *qedi,
cqe->itid, cmd->task_id);
cmd->state = RESPONSE_RECEIVED;
- qedi_clear_task_idx(qedi, cmd->task_id);
spin_lock_bh(&session->back_lock);
__iscsi_put_task(task);
@@ -748,7 +738,6 @@ static void qedi_process_cmd_cleanup_resp(struct qedi_ctx *qedi,
itt_t protoitt = 0;
int found = 0;
struct qedi_cmd *qedi_cmd = NULL;
- u32 rtid = 0;
u32 iscsi_cid;
struct qedi_conn *qedi_conn;
struct qedi_cmd *dbg_cmd;
@@ -779,7 +768,6 @@ static void qedi_process_cmd_cleanup_resp(struct qedi_ctx *qedi,
found = 1;
mtask = qedi_cmd->task;
tmf_hdr = (struct iscsi_tm *)mtask->hdr;
- rtid = work->rtid;
list_del_init(&work->list);
kfree(work);
@@ -821,8 +809,6 @@ static void qedi_process_cmd_cleanup_resp(struct qedi_ctx *qedi,
if (qedi_cmd->state == CLEANUP_WAIT_FAILED)
qedi_cmd->state = CLEANUP_RECV;
- qedi_clear_task_idx(qedi_conn->qedi, rtid);
-
spin_lock(&qedi_conn->list_lock);
if (likely(dbg_cmd->io_cmd_in_list)) {
dbg_cmd->io_cmd_in_list = false;
@@ -856,7 +842,6 @@ static void qedi_process_cmd_cleanup_resp(struct qedi_ctx *qedi,
QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_TID,
"Freeing tid=0x%x for cid=0x%x\n",
cqe->itid, qedi_conn->iscsi_conn_id);
- qedi_clear_task_idx(qedi_conn->qedi, cqe->itid);
} else {
qedi_get_proto_itt(qedi, cqe->itid, &ptmp_itt);
diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c
index ef16537c523c..a7003847bd4c 100644
--- a/drivers/scsi/qedi/qedi_iscsi.c
+++ b/drivers/scsi/qedi/qedi_iscsi.c
@@ -772,7 +772,6 @@ static int qedi_mtask_xmit(struct iscsi_conn *conn, struct iscsi_task *task)
}
cmd->conn = conn->dd_data;
- cmd->scsi_cmd = NULL;
return qedi_iscsi_send_generic_request(task);
}
@@ -783,6 +782,10 @@ static int qedi_task_xmit(struct iscsi_task *task)
struct qedi_cmd *cmd = task->dd_data;
struct scsi_cmnd *sc = task->sc;
+ /* Clear now so in cleanup_task we know it didn't make it */
+ cmd->scsi_cmd = NULL;
+ cmd->task_id = U16_MAX;
+
if (test_bit(QEDI_IN_SHUTDOWN, &qedi_conn->qedi->flags))
return -ENODEV;
@@ -1383,13 +1386,24 @@ static umode_t qedi_attr_is_visible(int param_type, int param)
static void qedi_cleanup_task(struct iscsi_task *task)
{
- if (!task->sc || task->state == ISCSI_TASK_PENDING) {
+ struct qedi_cmd *cmd;
+
+ if (task->state == ISCSI_TASK_PENDING) {
QEDI_INFO(NULL, QEDI_LOG_IO, "Returning ref_cnt=%d\n",
refcount_read(&task->refcount));
return;
}
- qedi_iscsi_unmap_sg_list(task->dd_data);
+ if (task->sc)
+ qedi_iscsi_unmap_sg_list(task->dd_data);
+
+ cmd = task->dd_data;
+ if (cmd->task_id != U16_MAX)
+ qedi_clear_task_idx(iscsi_host_priv(task->conn->session->host),
+ cmd->task_id);
+
+ cmd->task_id = U16_MAX;
+ cmd->scsi_cmd = NULL;
}
struct iscsi_transport qedi_iscsi_transport = {
--
2.30.2
next prev parent reply other threads:[~2021-07-10 2:19 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-10 2:15 [PATCH AUTOSEL 5.13 001/114] leds: tlc591xx: fix return value check in tlc591xx_probe() Sasha Levin
2021-07-10 2:15 ` [PATCH AUTOSEL 5.13 002/114] ASoC: Intel: sof_sdw: add mutual exclusion between PCH DMIC and RT715 Sasha Levin
2021-07-10 2:15 ` [PATCH AUTOSEL 5.13 003/114] ASoC: Intel: sof_sdw: add SOF_RT715_DAI_ID_FIX for AlderLake Sasha Levin
2021-07-10 2:15 ` [PATCH AUTOSEL 5.13 004/114] dmaengine: fsl-qdma: check dma_set_mask return value Sasha Levin
2021-07-10 2:15 ` [PATCH AUTOSEL 5.13 005/114] scsi: arcmsr: Fix the wrong CDB payload report to IOP Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 006/114] srcu: Fix broken node geometry after early ssp init Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 007/114] rcu: Reject RCU_LOCKDEP_WARN() false positives Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 008/114] soundwire: bus: only use CLOCK_STOP_MODE0 and fix confusions Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 009/114] soundwire: bus: handle -ENODATA errors in clock stop/start sequences Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 010/114] usb: dwc3: pci: Fix DEFINE for Intel Elkhart Lake Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 011/114] tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 012/114] serial: fsl_lpuart: disable DMA for console and fix sysrq Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 013/114] serial: 8250: of: Check for CONFIG_SERIAL_8250_BCM7271 Sasha Levin
2021-07-10 2:33 ` Florian Fainelli
2021-07-18 0:39 ` Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 014/114] misc/libmasm/module: Fix two use after free in ibmasm_init_one Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 015/114] misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 016/114] ASoC: intel/boards: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 017/114] partitions: msdos: fix one-byte get_unaligned() Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 018/114] iio: imu: st_lsm6dsx: correct ODR in header Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 019/114] iio: gyro: fxa21002c: Balance runtime pm + use pm_runtime_resume_and_get() Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 020/114] iio: magn: bmc150: " Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 021/114] ALSA: usx2y: Avoid camelCase Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 022/114] ALSA: usx2y: Don't call free_pages_exact() with NULL address Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 023/114] Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro" Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 024/114] usb: common: usb-conn-gpio: fix NULL pointer dereference of charger Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 025/114] ASoC: SOF: topology: fix assignment to use le32_to_cpu Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 026/114] w1: ds2438: fixing bug that would always get page0 Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 027/114] ASoC: Intel: sof_sdw: add quirk support for Brya and BT-offload Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 028/114] scsi: arcmsr: Fix doorbell status being updated late on ARC-1886 Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 029/114] scsi: hisi_sas: Propagate errors in interrupt_init_v1_hw() Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 030/114] scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 031/114] scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 032/114] scsi: core: Cap scsi_host cmd_per_lun at can_queue Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 033/114] ALSA: ac97: fix PM reference leak in ac97_bus_remove() Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 034/114] ASoC: cs42l42: Fix 1536000 Bit Clock instability Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 035/114] tty: serial: 8250: serial_cs: Fix a memory leak in error handling path Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 036/114] scsi: mpt3sas: Fix deadlock while cancelling the running firmware event Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 037/114] scsi: core: Fixup calling convention for scsi_mode_sense() Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 038/114] scsi: scsi_dh_alua: Check for negative result value Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 039/114] fs/jfs: Fix missing error code in lmLogInit() Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 040/114] scsi: megaraid_sas: Fix resource leak in case of probe failure Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 041/114] scsi: megaraid_sas: Early detection of VD deletion through RaidMap update Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 042/114] scsi: megaraid_sas: Handle missing interrupts while re-enabling IRQs Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 043/114] scsi: iscsi: Stop queueing during ep_disconnect Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 044/114] scsi: iscsi: Add iscsi_cls_conn refcount helpers Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 045/114] scsi: iscsi: Fix conn use after free during resets Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 046/114] scsi: iscsi: Fix shost->max_id use Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 047/114] scsi: qedi: Fix null ref during abort handling Sasha Levin
2021-07-10 2:16 ` Sasha Levin [this message]
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 049/114] scsi: qedi: Fix TMF session block/unblock use Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 050/114] scsi: qedi: Fix cleanup " Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 051/114] mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 052/114] mfd: cpcap: Fix cpcap dmamask not set warnings Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 053/114] char: xillybus: Fix condition for invoking the xillybus/ subdirectory Sasha Levin
2021-07-10 5:17 ` Eli Billauer
2021-07-18 0:43 ` Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 054/114] ASoC: img: Fix PM reference leak in img_i2s_in_probe() Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 055/114] iov_iter_advance(): use consistent semantics for move past the end Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 056/114] fsi: Add missing MODULE_DEVICE_TABLE Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 057/114] serial: tty: uartlite: fix console setup Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 058/114] s390/sclp_vt220: fix console name to match device Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 059/114] s390: disable SSP when needed Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 060/114] selftests: timers: rtcpie: skip test if default RTC device does not exist Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 061/114] iommu/arm-smmu-qcom: Skip the TTBR1 quirk for db820c Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 062/114] USB: core: Avoid WARNings for 0-length descriptor requests Sasha Levin
2021-07-10 6:23 ` Greg Kroah-Hartman
2021-07-18 0:44 ` Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 063/114] ALSA: sb: Fix potential double-free of CSP mixer elements Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 064/114] powerpc/ps3: Add dma_mask to ps3_dma_region Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 065/114] iommu/arm-smmu: Fix arm_smmu_device refcount leak when arm_smmu_rpm_get fails Sasha Levin
2021-07-10 2:17 ` [PATCH AUTOSEL 5.13 066/114] iommu/arm-smmu: Fix arm_smmu_device refcount leak in address translation Sasha Levin
2021-07-10 2:17 ` [PATCH AUTOSEL 5.13 067/114] ALSA: n64: check return value after calling platform_get_resource() Sasha Levin
2021-07-10 2:17 ` [PATCH AUTOSEL 5.13 068/114] ALSA: control_led - fix initialization in the mode show callback Sasha Levin
2021-07-10 2:17 ` [PATCH AUTOSEL 5.13 069/114] ASoC: soc-pcm: fix the return value in dpcm_apply_symmetry() Sasha Levin
2021-07-10 2:17 ` [PATCH AUTOSEL 5.13 070/114] gpio: zynq: Check return value of pm_runtime_get_sync Sasha Levin
2021-07-10 2:17 ` [PATCH AUTOSEL 5.13 071/114] gpio: zynq: Check return value of irq_get_irq_data Sasha Levin
2021-07-10 2:17 ` [PATCH AUTOSEL 5.13 072/114] thunderbolt: Fix DROM handling for USB4 DROM Sasha Levin
2021-07-10 2:17 ` [PATCH AUTOSEL 5.13 073/114] powerpc/inst: Fix sparse detection on get_user_instr() Sasha Levin
2021-07-10 2:17 ` [PATCH AUTOSEL 5.13 074/114] scsi: storvsc: Correctly handle multiple flags in srb_status Sasha Levin
2021-07-10 2:17 ` [PATCH AUTOSEL 5.13 075/114] ALSA: ppc: fix error return code in snd_pmac_probe() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210710021748.3167666-48-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=michael.christie@oracle.com \
--cc=mrangankar@marvell.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox